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SECRET KEY GENERATION METHOD, ENCRYPTION METHOD, 
5 CRYPTOGRAPHIC COMMUNICATIONS METHOD, COMMON KEY GENERATOR, 
CRYPTOGRAPHIC COMMUNICATIONS SYSTEM, AND RECORDING MEDIA 



BACKGROUND OF THE INVENTION 

10 

Field of the Invention 

This invention relates to a secret key generation 
method for generating secret keys peculiar to entities, 
to an encryption method for encrypting information so 
15 that it will be unintelligible to any but an authorized 
party, and to a cryptographic communications method which 
performs communications with ciphertext. 



Description of the Related Art 
20 In today's world, characterized by sophisticated 

information utilization, important business documents and 

image information are transmitted and processed in the 

i 

form of electronic information over an infrastructure of 
computer networks. By its very nature, electronic 
25 information can be easily copied, making it extremely 
difficult to distinguish between the copy and the 
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original, and information security has become a very 
serious problem. The realization of computer networks 
which support "shared computer resources," "multi- 
access," and "broad-area implementation" is particularly 
5 indispensable to the establishment of a high-level 
information society. However, that very realization 
involves aspects which are inconsistent with the security 
of information exchanged between authorized parties. An 
effective technique for eliminating that inconsistency is 

10 encryption technology, which up until now, in the course 
of human history, has been primarily used in the fields 
of military operations and foreign diplomacy. 

Cryptography is the process of exchanging 
information so that its meaning cannot be understood by 

15 anyone other than the authorized parties. In 
cryptographic operations , the conversion of the original 
text (plaintext) that anyone can understand to text 
(ciphertext) the meaning of which cannot be understood by 
a third party is called encryption, and the restoration 

2 0 of the ciphertext to plaintext is called decryption. The 
overall system wherein this encryption and decryption are 
performed is |called a cryptosystem. In the processes of 
encryption and decryption, respectively, secret 
information called encryption keys and decryption keys 

25 are employed. A secret decryption key is necessary at 
the time of decryption, wherefore only a party 



knowledgeable of that decryption key can decrypt the 
ciphertext. Accordingly, the confidentiality of the 
information is maintained by the encryption. 

The encryption key and decryption key may be the 
5 same or they may be different. A cryptosystem wherein 
both keys are the same is called a common key 
cryptosystem, and the DES (Data Encryption Standards) 
adopted by the Bureau of Standards of the U.S. Department 
of Commerce is a typical example thereof. Conventional 
10 examples of such common key encryption schemes can be 
divided into the following three types . 

( 1 ) Type 1 

Methods wherewith all common keys to be shared with 
possible parties in cryptographic communications are held 
15 in secret. 

(2) Type 2 

Methods wherewith keys are mutually shared by a 
preparatory communication each time cryptographic 
communications are conducted (including Dif f ie-Hellman- 
20 based key sharing scheme, key distribution scheme based 
on public key schemes, etc.). 

(3) Typfe 3 

Methods wherewith disclosed identification 
information (ID information)) that specifies an 
25 individual, such as user (entity) name and address, etc., 
is used, and both the sending entity and receiving entity 

3 



independently generate the same common key without 
preparatory communications (including KPS (key 
predistribution systems ) , ID-NIKS ( ID-based non- 
interactive key sharing schemes) , etc. ) . 
5 Such conventional methods as seen in these three 

types of schemes are subject to the problems described 
below. With method 1, since all of the common keys are 
stored , this scheme is unsuitable for a network society 
wherein an unspecified large number of users become 

10 entities and conduct cryptographic communications. With 
method 2, there is a problem in that preparatory 
communications are required for key sharing. 

Method 3 is a convenient method because it requires 
no preparatory communications , and a common key with any 

15 opposite party can be generated using the disclosed ID 
information of the opposite party together with 
characteristic secret parameters distributed beforehand 
from a center. Nevertheless, this scheme is subject to 
the following two problems. Firstly, the center must 

20 become a "big brother" (creating a key escrow system 
wherein the center holds the secrets of all of the 
entities). Secondly, there is a possibility that some 
number of entities could collude to compute the center 
secrets. In the face of this collusion problem, many 

25 innovative techniques have been devised to circumvent the 
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problem by way of computation volume, but a complete 
solution is very difficult. 

The difficulties of resolving this collusion problem 
arise from the fact that the secret parameters based on 
5 the ID information form dual structures comprising center 
secrets and personal secrets. With method 3, a 
cryptosystem is configured using the disclosed parameters 
of the center, the disclosed ID information of the 
individual entities , and the two types of secret 

10 parameters for the center and entities. Not only so, but 
it is necessary also to configure such that center 
secrets will not be revealed even if the entities compare 
the personal secrets distributed to each. Accordingly, 
there are many problems that must be resolved before this 

15 cryptosystem can be actually realized. 

SUMMARY OF THE INVENTION 

It is an object of the present invention to provide 
2 0 a secret key generation method, encryption method, and 
cryptographic communications method based on an ID-NIKS, 
wherewith specifying information (ID information) is 
divided into a plurality of portions, and all secret keys 
based on the divided specifying information are 
25 distributed to entities from each of a plurality of 
centers, whereby it is possible to minimize the 



mathematical structures, circumvent the collusion problem, 
and facilitate the construction of the cryptosystem. 

Another object of the present invention is to 
provide a secret key generation method, encryption method, 
5 and cryptographic communications method that are more 
highly resistant to random number substitution attack. 

According to a first aspect of the present invention, 
there is provided a secret key generation method for 
generating secret keys peculiar to entities that are to 

10 be sent from a center to the entities, characterized in 
that the secret keys peculiar to the entities are 
generated using divided specifying information resulting 
from the division of information specifying the entities. 
According to a second aspect of the present 

15 invention, there is provided an encryption method wherein 
secret keys peculiar to entities are sent to the entities 
from the center respectively, and an entity encrypts 
plaintext to ciphertext using a secret key peculiar to 
that entity sent from the center, characterized in that 

2 0 the secret keys peculiar to the entities are generated 
using divided specifying information resulting from the 
division of ! information specifying the entities, and 
plaintext is encrypted to ciphertext at one entity that 
is a ciphertext sender using a common key generated from 

25 a component contained in its own secret key, the 
component corresponding to the divided specifying 



information of another entity that is a destination of 
the ciphertext. 

According to a third aspect of the present invention, 
there is provided a cryptographic communications method 
5 for communicating information between entities, wherein 
one. entity encrypts plaintext to ciphertext using a first 
common key derived from a first secret key peculiar to 
that entity sent from a center and sends the ciphertext 
to another entity (recipient), and the recipient decrypts 

10 the ciphertext to the plaintext using a second common key 
identical to the first common key, the second common key 
being derived from a second secret key peculiar to the 
recipient sent from the center, characterized in that a 
plurality of the centers are deployed, each of the 

15 centers generates secret keys peculiar to the entities 
using divided specifying information resulting from the 
division of information specifying the entities, and each 
of the entities generates the common key using a 
component, contained in its own secret key, corresponding 

20 to the divided specifying information of an opposite 
entity. 

The reaison why the various cryptosystems based on 
entity specifying information proposed for the purpose of 
resolving the collusion problem have been unsuccessful 
25 lies in excessively seeking mathematical structures to 
provide innovative techniques for preventing center 



secrets from being deduced from entity collusion 
information. When the mathematical structures are too 
complex, the method of demonstrating safety becomes very 
difficult. In the present invention, therefore, the 
5 mathematical structures are held to a bare minimum by 
dividing entity specifying information into a plurality 
of portions and distributing all the secret keys for each 
of the divided specifying information to the entities. 

In the present invention, a plurality of centers are 

10 deployed, and each center generates a secret key 
corresponding to one unit ( or piece ) of divided 
specifying information for one entity* Accordingly, no 
single center holds all of the entity secrets and hence 
no center becomes a "big brother." Also, because the 

15 mathematical structures are held down to a minimum, 
circumvention of the collusion problem is easily realized 
and the cryptosystem is also simple to implement. 
Furthermore, the secret keys peculiar to one entity for 
that entity to generate a common key have been sent from 

20 the centers and are stored from the start in table form, 
wherefore the time required for common key generation can 
be significantly shortened. 

According to a fourth aspect of the present 
invention, there is provided a secret key generation 

25 method for generating secret keys specific to entities 
using divided specifying information resulting from the 



division of information specifying the entities into a 
plurality of blocks, characterized in that the secret key 
for a first block of divided specifying information has a 
multi-layer structure and each of the secret keys for the 
5 remaining blocks of divided specifying information has a 
s ingle-layer structure • 

According to a fifth aspect of the present invention, 
there is provided an encryption method wherein secret 
keys peculiar to entities are generated using divided 

10 specifying information resulting from the division of 
information specifying the entities into a plurality of 
blocks, plaintext is encrypted to ciphertext using a 
common key generated us ing a component , contained in the 
secret key, corresponding to the divided specifying 

15 information for an opposite entity to which the 
ciphertext is to be sent, characterized in that the 
secret key for a first block of divided specifying 
information has a multi-layer structure, and each of the 
secret keys for the remaining blocks of divided 

2 0 specifying information has a single-layer structure. 

According to a sixth aspect of the present invention, 
there is provided a cryptographic communications method 
for communicating information between entities, wherein a 
plurality of centers are deployed, each of which 

25 generates secret keys peculiar to the entities using 
divided specifying information resulting from the 



division of information specifying the entities into a 
plurality of blocks, one entity generates a first common 
key using a first component contained in secret keys 
peculiar to that entity sent from the centers and 
5 corresponding to the divided specifying information of 
another entity (recipient) , encrypts plaintext to 
ciphertext using the first common key, and sends the 
ciphertext to the recipient, the recipient generates a 
second common key identical to the first common key, 

10 using a second component contained in secret keys 
peculiar to the recipient sent from the centers and 
corresponding to the divided specifying information of 
the ciphertext sender, and decrypts the ciphertext to the 
original plaintext using the second common key, the 

15 secret key for a first block of divided specifying 
information has a multi-layer structure, and the secret 
keys for the remaining blocks of divided specifying 
information have a single-layer structure. 

The present invention is configured in such a manner 

20 that the common key can only be derived after the 
computation for all blocks is complete, and a divided 
block of information specifying a specific entity cannot 
be attacked independently, whereupon random number 
substitution attack can be circumvented. 

25 The term " recording medium" or " computer usable (or 

readable) medium" in this specification includes any 



physical object in which a program to be executed by CPU 
or the like is stored. For example , the " recording 
medium" includes a floppy disc , CD-ROM, hard disk drive , 
ROM, RAM, optical recording medium such as DVD, photo- 
5 magnetic recording medium such as MO, magnetic recording 
medium such as magnetic tape, and semiconductor memory 
such as IC card and miniature card. A data signal 
embodied in a carrier wave may be the computer readable 
medium. 

10 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 illustrates a model diagram representing the 
15 configuration of a cryptographic communications system of 
the present invention; 

Fig. 2 illustrates a model diagram representing an 
example of entity ID vector division; 

Fig. 3 illustrates a model diagram showing how 
20 information is communicated between two entities; 

Fig. 4 is a diagram representing the configuration 
of another cryptographic communications system' according 
to the present invention; 

Fig. 5 depicts another example of entity ID vector 
2 5 division; 
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Fig. 6 is a diagram showing how information is 
communicated between two entities; and 

Fig. 7 is a diagram showing the configuration of a 
recording media. 

5 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Embodiments of the present invention are now 

10 described. 

Fig. 1 is a model diagram representing the 
configuration of an cryptographic communications system 
of the present invention. A plurality of centers 1 (K in 
number) which can be trusted to maintain information 

15 confidentiality are established. These centers 1 may be 
public institutions in a society, for example. The 
deployment of the plurality of centers 1 is the point of 
difference with the conventional third method. 

These centers 1 are connected to a plurality of 

20 entities a, b, z that are the users employing this 

cryptosystem by secret channels (communication paths) 2 ai , 
2aK* 2bif .../' 2bK/ ••♦f 2 z i, •••/ 2 zK . Secret information 
is sent from the centers 1 via these secret communication 
paths to the entities a, b, . .., z. Communication paths 

25 3ab, 3az, 3bz, etc., are also provided between pairs of 
entities. Ciphertext obtained by encrypting 

12 
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15 



20 



communications information is sent back and forth between 
entities via these communication paths 3ab, 3az, 3bz, etc, 
1st Embodiment : 

A first embodiment that is a basic scheme of the 
present invention is described first. 

Preparatory processing at centers 1: 

The centers 1 prepare public keys and secret keys as 
follows and disclose the public keys. 

Public key P Large prime number 

L Size of ID vector (L = KM) 
K Number of ID vector division 
blocks 

M Size of divided ID vector 
g GF (P) primitive element 
Hj Symmetrical 2 M x 2 M matrix formed 
of random numbers 
(j - 1, 2, K) 
Personal secret random number of 



Secret key 



a 



OCiK 



25 



entity i (where ano^ . 
(mod P - 1 ) ) 

ID vectors that are specifying information 
indicating the names and addresses of entities are made 
L-dimension binary vectors, and each of the ID vectors is 
divided into K blocks (each has a block size M) as 
diagrammed in Fig. 2. The ID vector for entity i (i.e. 
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vector Ii) , for example, is divided as indicated in 
formula 1 below. The vectors Iij (j = 1, 2, . .., K), that 
are divided specifying information, are called ID 
division vectors. 



(i) 7? = Su|J£|---|i£?] 



Entity registration processing: 

10 When each of the centers 1 is requested by an entity 

i for registration, K secret vectors sij (j = 1, 2, 
K) corresponding, respectively, to a prepared key and K 
ID division vectors for entity i are found according to 
formulas 2-1, 2-2, . .., 2-K, as represented below, the 

15 vectors Sij so found are sent to entity i in secret, and 
registration is complete. 

(2-1) Slf = g <*iiHi[l£] ( m od P) 



20 



25 



( 2-2 ) 5^ = a i2 H 2 [Iu] (mod P - 1) 



(2-K) = oc iK H K [I iK } (modP-1) 



However, when g is a scalar, and A and B are 
matrixes, the representation B = g A indicates that power 
multiplication on g is performed for each component (^t, 
v) of A. In other words, the result is as given in 
30 formula 3 below. The representation Hj [vector Iij] 
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indicates that one row corresponding to the vector Iij is 
extracted from the symmetrical matrix H j , and the [ • ] 
operation is also defined for reference. 

5 ( 3 ) Bp* = g A ^ 

Processing for generating common keys between 
entities : 

10 Entity i selects from its own secret key vectors sn 

a vector sn [vector I m i] of the component corresponding to 
vector I m i that is the ID division vector of entity m, and 
also selects from among the secret key vectors sij for 
each of the blocks j (j = 2, . K) the vector sj.j 

15 [vector I m j ] of the component corresponding to the vector 
I m j • Then, entity i sequentially power-multiplies all of 
the vectors Sij [vector I mj ] (j = 2, . .., K) except for the 
vector Sn [vector I m i], with modulo P and the vector sn 
[vector I m i] as the base, thereby deriving the common key 

2 0 Ki m . The computation formula for finding this Ki m 
specifically becomes formula 4 below. This Ki ra coincides 
with the common key K m i derived at the entity m end* 



25 



(4) Kim = 5if[/mi] 



= g<xh,-a±K-Hi[Ii L ][I m ^--H K [IiK][ImK\ 



= a i/i[Iii][/ m i] ■ -^KlIiKlImK] (mod P) 

3 0 y 
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Next, the communication of information between 
entities in the cryptosystem described above is described* 
Fig. 3 illustrates information communicated between two 
entities a and b. In the example diagrammed in Fig* 3, 
5 entity a encrypts a plaintext (message) M to a ciphertext 
C which it sends to entity b, and entity b decrypts that 
ciphertext C back to the original plaintext (message) M. 

A secret key generator la is provided at the j'th 
center 1 (where j = 1, 2, . .., K) for deriving the 

10 vectors s a j and s b j (secret keys) peculiar to the entities 
a and b, respectively, following formula 2-j given 
earlier. Then, when a request for registration is 
tendered from the entities a and b, the secret key 
vectors s a j and s b j for those entities a and b are sent to 

15 the entities a and b. 

Entity a is provided with a memory 10 for storing, 
in tabular form, the characteristic secret key vectors 
Sai, s a j, s aK sent from the K centers 1, a 

component selector 11 for selecting from among those 

20 secret key vectors the vector s ai [vector I b i], •••/ vector 
Saj [vector I b j] — / vector s aK [vector I bK ] for the 
components corresponding to entity b, a common key 
generator 12 for generating the common key K ab with entity 
b sought by entity a using those components selected, and 

25 an encryptor 13 for encrypting the plaintext (message) M 
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to the ciphertext C using that common key K ab and 
outputting it over the communication path 30. 

Entity b, meanwhile , is provided with a memory 20 
for storing, in tabular form, the characteristic secret 
5 key vectors s b i/ •••/ s b j, s bK sent from the centers 1, 

a cpmponent selector 21 for selecting from among those 
secret key vectors the vector s bi [vector I a i], • ••/ vector 
s b j [vector I a j]/ vector s bK [vector I aK ] for the 

components corresponding to entity a, a common key 

10 generator 2 2 for generating the common key K ba with entity 
a sought for by entity b using those components selected, 
and a decryptor 23 for decrypting the ciphertext C input 
from the communication path 30 to the plaintext (message) 
M using that common key K ba and outputting it. 

15 When information is to be sent from entity a to 

entity b, first, the secret key vectors s ai , s a2 , s a K 
pre-stored in the memory 10 after being derived according 
to the formulas 2-1, 2-2, . .., 2-K at the centers 1 are 
read out to the component selector 11. Then, the 

20 component selector 11 selects the vector s a i [vector I bi ], 
vector Sa2 [vector I b2 ], and vector s aK [vector I bK ] 

that are the; components corresponding to entity b, and 
sends them to the common key generator 12. The common 
key generator 12 uses these components to derive the 

25 common key K ab according to formula 4, and sends that 
common key K a b to the encryptor 13. With the encryptor 13, 



this common key K a b is used to encrypt the plaintext 
(message) M to the ciphertext C and the ciphertext C is 
sent via the communication path 30. 

The ciphertext C sent over the communication path 3 0 
5 is input to the decryptor 23 of entity b. The secret key 
vectors s b i, s b2 , . s b K derived according to formulas 2- 

1, 2-2, , 2-K at the centers 1 and prestored in the 

memory 20 are read out to the component selector 21. 
Then, the component selector 21 selects the vector s b i 

10 [vector I a i], vector s b2 [vector I a2 ] r •••r vector s bK 
[vector I aK ] that are components corresponding to entity a, 
and sends them to the common key generator 22. The 
common key generator 22 uses these components to derive 
the common key K ba according to formula 4 and sends this 

15 common key K ba to the decryptor 23. The decryptor 23 uses 
the common key K ba to decrypt the ciphertext C to the 
plaintext (message) M. 

In the scheme of the present invention, the secret 
key vectors peculiar to the entities are stored 

20 beforehand in the memories of the entities so that a 
shorter time is required to generate the common keys . 

The safety provided by the scheme of the present 
invention is now discussed. 

It is known that one of the conditions necessary to 

25 a safe ID-NIKS is the inability of separating the secret 
key generating functions and key sharing functions in 

18 



polynomial time, A fact that the scheme of the present 
invention satisfies this necessary condition is described 
below. 

Secret key generating function: 
5 The scheme of the present invention has a total of K 

secret key generating functions as indicated in formulas 
5 and 6 below. 



10 



20 



30 



(5) fi&) = g«* H ^ (i=D 

(6) 



15 If H is an arbitrary symmetrical matrix, then the 

referencing function [ * ] is clearly indivisible, as shown 
in formulas 7 and 8 below. 



(7) H& + t] ^ H&] + H[#] 

(8) 



25 Thus, the K secret key generating functions 

represented in formulas 5 and 6 are indivisible, as shown 
in formula 9 below. 



( 9 > ■ fj& + V) * fj&) o fjCtf) U = 1,2 K) 

Key sharing function: 

The key sharing function in the scheme of the 
present invention is represented in formula 10 below. 
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5 As in the case of the secret key generating 

functions, the key sharing function represented in 
formula 10 is indivisible, as shown in formula 11 below. 

(11) T(7t, ^ + V) ^ "£) o Tilt. J?) 

10 

Attacks for breaking cryptosystems by the collusion 
of an indefinite number of entities (hereinafter "non- 
corrupting collusion") has been debated for quite some 

15 time. At the same time, attacks conducted by a smaller 
number of collaborators wherein only entities necessary 
for the attack are bought (hereinafter "corrupting 
collusion 11 ) are also effective if a certain individual is 
the only target. The safety of the scheme of the present 

20 invention against such corrupting and non-corrupting 
collusions is now considered. 

Safety against non-corrupting collusion: 
In cases where it is possible to represent the ID 
vector of any entity by a linear combination of 

25 collaborator ID vectors (combination attack) and either 
the secret !key generating function or key sharing 
function is divisible in polynomial time, it is possible 
to counterfeit the secret keys of other entities from the 
secret keys of the collaborators (separation attack). 

3 0 Such an attack is known as a linear attack. 

20 



In the scheme of the present invention, the ID 
vector of any entity can be represented as a linear 
combination by using the ID vectors of L collaborators 
who are linearly independent . That is, a combination 
5 attack by L or more entities is viable. However, because 
the: secret key generating functions and key sharing 
function are indivisible functions, as noted earlier, the 
secret key and common key of that entity cannot be 
counterfeited by a separation attack even in the unlikely 

10 case where a combination attack against any entity should 
become viable. Therefore the linear attack does not work 
with the scheme of the present invention. Accordingly, 
in the face of a non-corrupting collusion, the scheme of 
the present invention has a collusion threshold (minimum 

15 number of collaborators required for combination attack) 
that is far higher than L. 

Safety against corrupting collusion: 

In cases where an attack is made against the scheme 
of the present invention wherein a specific entity is 
20 targeted, a random number substitution attack like that 
described below is conceivable wherein all of the 
entities required for the attack are bought out and all 
of the secret keys of the bought-out entities are used. 

The situation is described in an example where the 
25 name is four Kanji characters (L = 4 x 16 = 64 bits) so 
that the entity ID is easy to understand and each Kanji 



character is treated as 1 block. In other words, it is 
assumed that K = 4 and M = 16. 

A case is now considered wherein the IDs of entities 
Z , A, B, C, and D are set as noted below, entities A, B, 
5 C, and D are bought out, and entity Z is attacked. 
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The secret key of entity Z is then given as follows. 

iit = 5 Q Zi^i[it] ( mo d P) 

iiJ = a Z2 H 2 [^\ (modP-1) 

15 «ij = a Z3 H 3 [M] (modP-1) 

iit = a Z 4H 4 [g] (modP-1) 



The collaborators make the following computations 
and counterfeit the secret key of entity Z. 
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3Zi 



'Z 3 



= s£ = p^i^iM (mod P) 

aB2#2[#][#] 



• -SJ53 = 



a M H 2 [#] (modP-1) 



«B2 



>c 3 



= a A3 H 3 [M] (modP-1) 



_ a A3 H 3 [M][S.] rg . 
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&Z4 



S£>4 = 



<xaaHa[&\ (mod P- 1) 



5 It may be seen here that the counterfeited vectors 

Szi" to s z4 " work in the same manner as the vectors s zl to 
s z4 , respectively. Hence the collusion attack is 
definitely viable against the scheme of the present 
invention in situations where it is possible to buy out 

10 enough entities to mount the attack. 

In order for this corrupting collusion attack to be 
viable, however, it is necessary to acquire the secret 
keys of a collaborator having exactly the same ID 
division vectors as the K number of ID division vectors 

15 of the entity targeted for attack. For some specific 
block, only one entity in 2 M entities has exactly the same 
ID division vectors. Buying all of the K blocks for this 
special entity, even assuming the values M = 10 and K = 
100, is hardly an easy task. Accordingly, the scheme of 

2 0 the present invention may be said to be safe against 
corrupting collusions. The parameters M and K can be 
suitably set according to the scale of the cryptosystem 
and/or to the degree of safety required. 

Now, in order to circumvent a random number 

25 substitution attack by corrupting collusion, it is only 
necessary to implement measures to prevent the division 



blocks from being independently attacked. In other words, 
it is only necessary to make it so that the random number 
terms disappear only after the computation of all of the 
blocks is complete. With this perspective, two 

5 embodiment are now described which represent improvements 
of the first embodiment. 
2nd Embodiment: 

Another example of the present invention (2nd 
embodiment) is now described which is made stronger 
10 against random number substitution attack by combining a 
random number elimination method. 

Preliminary processing at centers 1: 

As in the first embodiment, the centers 1 prepare 
public keys and secret keys as follows and disclose the 
15 public keys. 

Public key P Large prime number 

L Size of ID vector (L = KM) 
K Number of ID vector division 
blocks 

20 M Size of divided ID vector 

Secret key g GF (P) primitive element 

Hj Symmetrical 2 M x 2 M matrix formed 
of random numbers 
(j = 1, 2, K) 
25 oil Personal secret random number of 
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entity i 

(where anc^ . . . cciK = 1 
(mod P - 1) ) 

In order to employ the safety of RSA ciphers, P is 
5 set so that it is very difficult to factor P - 1 into 
prime numbers. To do that it is only necessary to use a 
prime number such that P = 2pq + 1 (where p and q are 
prime) . 

As in the first embodiment, the ID vector of each of 
10 the entities is divided into K blocks (ID division 
vectors) having a block size M (cf. Fig. 2 and formula 1). 

Furthermore, as indicated in formula 12 below, a 
hashing function h( * ) for generating a second ID vector vi 
of K-l dimension from the ID is disclosed by the centers 
15 1. The components of this second ID vector vi generated 
with the hashing function take positive integers, and it 
is assumed that the sum thereof is a comparatively small 
constant e as represented in formula 13 below. 

20 (12) 

= (v±2, v±3i . . . , v±k) = h(IDi) 
K 

(13) fri 

25 

Entity registration processing: 

When the centers 1 are requested by an entity i for 
registration, K secret vectors sij (j = 1, 2, K) 
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15 



corresponding, respectively, to a prepared key and K ID 
division vectors for entity i are found according to 
formulas 14-1, 14-2, 14-K, as represented below, the 

vectors sij so found are sent to entity i in secret, and 
registration is complete. 



(14-1) 
10 (14-2) 



3f 2 



= g°<i e Hi[hi) (mod P) 



(14-K) 



= aitf 2 Er i2 (modP-1) 
= aiH K [hZ] ViK (modP-1) 



Processing for generating common key between 
entities : 

Entity i uses the disclosed hashing function h ( * ) 
2 0 to derive the second ID vector for an opposite entity m f 
namely v m , according to formula 15 below* 

(15) V^i = (Vm2tVm3i--iV m Jc) = h { J D m) 

25 

Entity i selects from its own secret key vectors sn 
a vector sn [vector l ml ] of the component corresponding to 
vector I mi that is the ID division vector of entity m, and 
also selects from among the secret key vectors sij for the 
30 blocks j (j = 2, . . . , K ) the vector s ± j [vector I mj ] of the 
component corresponding to the vector I m j . Then, entity i 
sequentially performs power-multiplications , repeatedly 
for v m j times, on all the vectors sij [vector I m j ] (j = 
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2, K) except for vector Su [vector I m i], with modulo 

P and the vector sn [vector I m i] as the base, thereby- 
deriving the common key K im . The computation formula for 
finding this K im specifically becomes formula 16 below. 
5 This Ki m coincides with the common key K mi obtained by the 
entity m. 

(16) ^ _ ^^[^] Vwfl -.-3^[^] VmK 

Kim = ^iif^mi] 

_ <• e tt . ZT V ™2 zr v m K 

= fl ^lIliJ[miJ'<« 2tL 3][m2f a K^'Km K] ( mo d p) 



20 — 5> 

where [Iij] is abbreviated [ij] from the second 

equation on 

Safety against random number substitution attack: 
25 Generally, in actual examples of the aforementioned 

entities A and B, we will have v A 2 * v B 2/ so that as shown 
below in formula 17, the random number substitution 
attack is not viable. 



30 (17) Szl = v. ■ . • SB: 

Sialyl 
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£ a A Hi[#] (mod P - 1) 
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3rd Embodiment: 

Another example (third embodiment) of the present 
invention is now described wherewith the personal random 
number elimination process is rendered complex by the 
addition of a constant term. 

Preliminary processing at centers 1: 

As in the first embodiment, the centers 1 prepare 
public keys and secret keys as follows and disclose the 
public keys . 

N N = PQ (where P and Q are large 

prime numbers ) 
L Size of ID vector (L = KM) 
K Number of ID vector division 



Public key 



Secret key 



M 

g 

Hi 



a 



ID 



blocks 

Size of divided ID vector 
Maximum generating element with 
modulo N 

Symmetrical 2 M x 2 M matrix formed 
of random numbers 
(j = 1, 2, K) 

Personal secret random number of 
entity i 

where audi ai K = 1 (mod X (N) ) 
and X( * ) is Carmichael function 
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Also, as in the first embodiment, the ID vector of 
each entity is divided into K blocks (ID division 
vectors) having a block size of M (cf. Fig. 2 and formula 
5 1). 

Entity registration processing: 

When the centers 1 are requested by an entity i for 
registration, K secret vectors s±j (j = 1, 2, K-l, K) 

corresponding, respectively, to a prepared key and K ID 
10 division vectors for entity i are found according to 
formulas 18-1, 18-2, 18-K-l, 18-K, as represented 

below. 



15 



20 



< 18 - X > «t = g^Hil**] (modN) 

5^ = »i^2[S]+ Pit 

(18-2) 



&i,K-l — OtiHK-l[Ii t K-i] + Pi,K-l 



(18-K-l) 

25 (18-K) = ^iK^Kihi] 

The third embodiment further adds K-2 personal 
random numbers pi 2 , • Pi,K-i to the first embodiment 

3 0 wherein cti 2 = ... ctj., K -i ~ a i anc * cxnai cti K = 1 (mod X(N) ) . 
The centers 1 derive the vectors t± according to formula 
19 below. It should be assumed here that pi = p i2 + ••• + 
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pi,K-i* The derived vectors s±j and ti are sent to entity i 
in secret and registration is complete. 



(19) IT ~ g-<*iiHi[Iii]0i (modN) 



Processing for generating common key between 
entities : 

Entity i first, from the secret key vectors Sij for 
10 the blocks j (j = 2, . K-l), selects column vectors Sij 
[vectors I m j] corresponding to the vectors I m j that are the 
ID division vectors of entity m, block by block, and 
finds the sum S im thereof by formula 2 0 below. 

15 (20) c - V^T+rr^i 

*->im — / J s ij\. J 'mj\ 
i=2 
K-l 

20 i=2 

Entity i, from among the secret key vector su for 
its own first block and the secret key vector s iK for the 
last block, selects the column corresponding to the 

25 vectors I mj that are the ID division vectors of entity m, 
and performs the calculation shown below in formula 21 
using s im and vectors ti to derive the common key K im . 
This Ki m coincides with the common key K m i derived by 
entity m. 



(21) K± m = {ti[I m i]-sg[Imi] J 

K-l 

oriiociaiK-i^ijiijimi] ( ^ ^ ^jtijK™jO^ A 'ti K H™*0 

= 9 
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i=2 



^l[il][ml] ( ^ H j\ij][mj}) H K[ i K][mK] 

= 9 J=2 (modN) 



where [Iij] is abbreviated [ij] from the second 
equation on 

10 

Safety considerations: 

In this formula, if settings are made as in formula 
22 below, the expression Ki m = x im2 x im3 . . . x im , K -i will 
result, and, by gathering together numerous formulas 
15 wherein Xi m2 , Xi m3 , . .., Xi m , K -i are variables, it is 
theoretically possible to counterfeit keys. 

(22) X±m2 = 5 ^l[il][ml3^2[i2][m2l^K(iK'J[mA'] 

Xi m3 = g H l[U}[ml]H*lV}[m&lHK[iK}lmK) 
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X im K-l ~ ^^l[il][ml]^K-l[i,K-lKm,K-l]^KEiK-][mK'] 



However, with the scheme of the present invention, 
the mathematical structures are held down to a minimum, 

3 0 and there is no structure in their variables that is 
separable, whereupon it becomes necessary to attack all 
of these variables as independent variables, thus 
requiring an extremely enormous number of collaborators. 
Even if the final block is susceptible to elimination by 

3 5 a random number substitution attack, the terms expressed 
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in formula 22 must be attacked as independent variables. 
Thus, in the case where M = 10, for example, it becomes 
necessary to amass 2 20 specific equations in order to 
attack, so safety is enhanced. 
5 Although the third embodiment pertains to a case 

wherein a composite number N difficult of prime factoring 
is used as the modulus, the same thing can of course be 
done in the case where N = P. 
4th Embodiment: 

10 Fig. 4 is a model diagram showing the configuration 

of a cryptographic communications system of the present 
invention. A plurality (K) of centers 1 which can be 
trusted to maintain information confidentiality are 
established. These centers 1 may be public institutions 

15 in a society, for example. 

These centers 1 and a plurality of entities a, 
b, z that are users of this cryptosystem are 

connected by secret communication paths 2 al , 2 aK , 
2 b i, ••-/ 2 hK , 2 2 i, 2 zK . Thus secret key 

20 information can be sent to the entities a, b, z from 

the centers 1 via the secret communication paths . 
Communication paths 3ab, 3az, 3bz, etc., are also 
deployed between pairs of entities so that ciphertext 
resulting from encrypting communications information can 

2 5 be sent back and forth between entities via those 
communication paths 3ab, 3az, 3bz, etc. 
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Secret key 



Preparatory processing at centers 1: 

The centers 1 prepare public keys and secret keys as 
shown below, and discloses the public keys* 
Public key N N = PQ 

K Number of ID vector division 
blocks 

Mj Size of divided ID vector (where 

j = 1, 2, . . . , K) 
L Size of ID vector (L = Mi + M 2 + 

... + M K ) 

T Degree of exponent portion 
P,Q Large prime numbers 
g Maximum generating element with 

modulo N 
Hj Symmetrical 2 Mj x 2 Mj matrix 

formed of random numbers 
cci Personal secret random number of 
entity i 

(where gcd (oti, M N )) - 1 and 
X( * ) is Carmichael function) 
pij Personal secret random number of 
entity i (where pn + p i2 + ... + 
PiK = X(N)) 

It should be assumed that ID vectors that are 
specifying information indicating the names and addresses 
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of entities are L-dimension binary vectors, and each of 
their ID vectors is divided into K blocks (block sizes 
are Mi, M 2 , M K ), as diagrammed in Fig. 5. The ID 

vector for entity i (i.e. vector Ii), for example, is 
divided as indicated in formula 23 below. The vectors Iij 
(j = 1, 2, K), that are divided specifying 

information, are called ID division vectors. 

( 23 > t = [ii\iZ\---\i£] 



Entity registration processing: 

When the centers 1 are requested by an entity i for 
registration, K secret key vectors Sij (j = 1, 2, K) 
15 corresponding, respectively, to a prepared key and K ID 
division vectors for entity i are calculated according to 
formulas 24-1, 24-2, 24- j, 24-K below. 



(24-2) 

(24-j) Jj = aiffj^ + faj^ 

3 0 (24-K) ^ " <xi H K\hK] + /3iK~** 

Vector 1 represents a vector of K dimension wherein 
all of the components are 1. The representation Hj 
35 [vector Iij] indicates a row, corresponding to the vector 
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Iij, extracted from the symmetrical matrix Hj, and the [•] 
operation is also defined for reference. 

Next, for the 1st block, T + 1 secret key vectors g it 
(t = 0, 1, 2, . .., T) are calculated according to 
formulas 25-0, 25-1, 25-2, 25-t, . .., 25-T below. 



(25-0) 5£ ~ (mod TV) 



(25-1) g£ = g a i T *£ (mod N) 



(25-2) g£ = g a i (mod N) 

== g<XL T (*£)* (mod N) 



(25-t) 



(25 " T) 9$ = g°£ T &) T (mod AO 

It should be assumed that when c is a scalar and A 
and B indicated in formulas 26 and 27 are matrixes, the 
expressions b — c A and B = <A> C correspond to formulas 2 8 
and 29, respectively. 

(26) A = (ap„) 

(27) B = (b MU ) 

(28) bp* = c a ^ v 

(29) h — a c 



One of the centers 1 sends the T + 1 secret key 
vectors g it (t = 0, 1, 2, . .., T) relating to 1st block to 
entities i in secret, while the remaining ( K — 1) centers 
1 send K - 1 secret key vectors Sij (j = 2, 3, . K) 
5 relating to the blocks from the second to the last to 
entities i in secret. 

Processing for generating common key between 
entities : 

Entity i, for the 1st block, selects from its own T 
10 +1 secret key vectors g it a vector git [vector I m i] of the 
component corresponding to vector I m i that is the ID 
division vector of entity m. The vectors selected are 
represented below in formulas 30-0, 30-1, 30-t, 
30-T* 

(30-0) g Qim = g£[Imi] 

(30-1) 9lhn — g£[Irn\] 

20 ; 

(^"t) 9tim = fl&imtj 

25 i 

(30-T) g Tim = ^[J^t] 

Next, entity i, for the blocks 2, 3, — , K for j = 
30 2, 3, K, selects, from its own secret key vectors s ijf 

vectors Sij [ vectors I mj ] of the components corresponding 
to vectors I m j that are the ID division vectors of entity 
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m, block by block. The vectors selected are represented 
below in formulas 31-2, . .., 31-J, . 31-K. 

(31-2) x 2im = 

(31 j ) %jim = &ij [I mj ] 

(31-K) , x Kim = «LRf[Jmir] 

Then, the sum y im for all of these is found on the 
integer ring as in formula 32 below. 

K 

( 32 > Vim = ^2 x jim 

And, by performing calculation as in formula 33 
below, with modulo N, the common key K im is derived. In 
the calculation in this formula 33, by completing the 
calculations for all of the blocks, the personal secret 
random number ai is eliminated by multiplication by the 
inverse element thereof, and the personal secret random 
numbers (3ij, which are K in number, are eliminated by 
additions therefor. This K im coincides with the common 
key K mi derived by entity m. 

(33) ~~ A 1 ^tirn 

* ' t=0 

= g t=0 

= g<Xi T { x Um + Vim) 7 

= a ar T (xii m H \-x K i rn ) T 



= g a I r ( aiH i + Ai + • • • + a L H K + Plk) t 

af T | ai (Hx + ■■■ + H K [&2][I^]) + X(N) \ 

af T {«i(^i[iit][imt] + • • • + H K [l£}{I^})\ 
= 9 1 J 

= 5 (^i[S][Jmt] + ■ • • + H K [I&][I^S]) T ( mod at) 

In the formula above we assumed x lim = vector s n 
[vector Inn], but this is not even known to entity i 
itself. Also, because T is a comparatively small number, 
the exponent portion can be calculated by successively 
and repeatedly performing power multiplication. 

In the example described in the foregoing, the size 
Mj of the blocks may be constant for all blocks or, 
alternatively, some or all of the blocks may have 
different sizes. However, the secret key vector g it is 
derived in relation to the 1st block, wherefore, when 
that size is made constant for all blocks, the secret 
becomes large for the 1st block. Thus, it is better to 
make the size of the 1st block smaller than the sizes of 
the other blocks. When Mi = 1, in particular, the secrets 
distributed can be minimized and safety most enhanced. 

Let us now consider the safety of the present 
invention against a collusive attack such as an attack 
against the whole cryptosystem by the collusion of a 
large indefinite number of entities. If the total number 
of entities is 1 million, then 1000000 ^ 2 20 , wherefore Mj 
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= 1 and K = 20. If T = 32, then the number of exponent 
portion terms in the common key K im becomes 20H32 = 51C32 ^ 
4.85 x 10 13 . This number of terms exceeds the total 
number of keys shared between all entities, namely 1000000C2 
~ 5 x 10 12 . Accordingly the condition that number of 
terms > total number of shared keys is satisfied and 
safety against collusive attack is realized. 

The communication of information between entities in 
the cryptosystem described in the foregoing is described 
next. Fig. 6 is a model diagram showing how information 
is communicated between two entities a and b. In the 
example diagrammed in Fig. 6, entity a encrypts a 
plaintext (message) M to the ciphertext C which it sends 
to entity b, and entity b decrypts that ciphertext C back 
to the original plaintext (message) M. 

The first of the centers 1 is equipped with a secret 
key generator la which computes secret key vectors s ai and 
Sbi peculiar to the entities a and b, and the secret key 
vectors g a t and g b t (t = 0, 1, 2, . .., T) numbering T + 1, 
according to the formulas 24-1, 25-0, 25-T given 

earlier. Then, when registration requests are made by 
the entities a and b, the secret key vectors g at and g bt 
for those entities a and b are sent to the entities a and 



The j'th center 1 (where j = 2, 3, K) is 

equipped with a secret key generator la for computing the 
secret key vectors s aj and s b j peculiar to the entities a 
and b according to the formulas 24-2 , . .., 24-K given 
earlier. When registration requests are made by the 
entities a and b, the secret key vectors s aj and s bj for 
those entities a and b are sent to the entities a and b. 

Entity a is provided with a memory 10 for storing, 
in tabular form, the secret key vectors g at (t = 0, 1, 
2, T) and s aj (j = 2, 3, . .., K) sent from the 

centers 1, a component selector 11 for selecting from 
among those secret key vectors the vector g at [vector i bl ] 

(t = 0, 1, 2, , T) and the vector s aj [vector I bj ] (j = 

2, 3, . K ) for the components corresponding to entity 

b, a common key generator 12 for generating the common 
key K ab with entity b derived by entity a using those 
components selected, and an encryptor 13 for encrypting 
the plaintext (message) M to the ciphertext C using the 
common key K ab and outputting it over the channel 30. 

Entity b is provided with a memory 2 0 for storing, 
in tabular form, the secret key vectors g bt (t = 0, 1, 

2, T) and s bj (j = 2, 3, K) sent from the 
centers 1, a component selector 21 for selecting from 
among the secret key vectors the vector g bt [vector I a i] (t 
= 0, 1, 2, , T) and the vector s bj [vector l aj ] (j = 2, 

3, K) for the components corresponding to entity a, 
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a common key generator 22 for generating the common key 
K ba with entity a derived by entity b using those 
components selected, and a decryptor 23 for decrypting 
the ciphertext C input from the channel 3 0 to the 
plaintext M using the common key K ba and outputting it. 

When information is to be sent from entity a to 
entity b, first, the secret key vectors g a t (t = 0, 1, 
2, . .., T) and s aj (j = 2, 3, . . . , K) pre-stored in the 
memory 10 after being derived at the centers 1 are read 
out to the component selector 11. The component selector 
11 then selects the vector g at [vector I b i] (t = 0, 1, 

2, , T) and the vector s a j [vector I b j ] (j = 2, 3, 

K) that are the components corresponding to entity b and 
sends them to the common key generator 12. The common 
key generator 12 uses these components to derive the 
common key K ab according to formula 33 , and sends the 
common key K ab to the encryptor 13- The encryptor 13 
utilizes this common key K ab to encrypt the plaintext M to 
the ciphertext C and sends the ciphertext C via the 
channel 30. 

The ciphertext C sent over the channel 30 is input 
to the decryptor 23 of entity b. The secret key vectors 
s bj (j = 2, 3, . .., K) and g bt (t = 0, 1, 2, T) 
derived at the centers 1 and prestored in the memory 20 
are read out to the component selector 21 . Then, the 
component selector 21 selects the vector g bt [vector I a i] 



(t = 0, 1, 2, . .., T ) and the vector s bj [vector l aj ] (j = 
2, 3, . K) that are components corresponding to entity 
a and sends them to the common key generator 22. The 
common key generator 22 uses these components to derive 
5 the common key K ba according to formula 33 and sends this 
common key to the decryptor 23. The decryptor 23 uses 
the common key K ba to decrypt the ciphertext C to the 
plaintext M. 

In the above-described example, centers are deployed 

10 in a plurality, and these centers generate a plurality of 
keys corresponding to a plurality of units (pieces) of 
entity ID information respectively. In other words, each 
center generates a key for a certain segment of entity ID 
information. Therefore no single center can hold all 

15 entity secrets, and the centers cannot become "big 
brothers." Also, the secret key vectors peculiar to the 
respective entities are stored beforehand in the memories 
of the entities, so the time required for generating 
common keys can be shortened. 

20 Fig. 7 is a conf igurational diagram of an embodiment 

of recording media according to the present invention. 
The program exemplified here, which is recorded on 
recording media described below, comprises processes for 
selecting components corresponding to entity m from among 

2 5 the secret key vectors sij and g it sent to entity i from 
the centers and processes for finding a common key K im 
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using those components so selected. A computer 40 is 
provided at each entity. 

In Fig. 7, a recording medium 41 that connects the 
computer 40 online employs a WWW (world wide web) server 
5 computer, for example, located remotely from the site 
where the computer 40 is installed. A program 41a such 
as that described above is recorded on the recording 
medium 41. The program 41a read out from the recording 
medium 41 controls the computer 40 and thereby computes 

10 common keys at the entities for other entities to be 
communicated with. 

A recording medium 42 provided internally in the 
computer 40 is a built-in hard disk drive or ROM, for 
example, and a program 4 2a as described above is recorded 

15 on the recording medium 42. The program 42a read out 
from the recording medium 42 controls the computer 40 and 
thereby computes common keys at the entities for other 
entities to be communicated with. 

A recording medium 43 loaded in a disk drive 4 0a of 

20 the computer 40 is a portable optical-magnetic disk, CD- 
ROM, or flexible disk, etc. A program 43a such as 
described above is recorded on the recording medium 43. 
The program 43a retrieved from the recording medium 43 
controls the computer 4 0 and thereby computes common keys 

25 at the entities for other entities to be communicated 
with. 



With the present invention, as described in the 
foregoing, entity ID information is divided into a 
plurality of segments or pieces and a plurality of 
centers are established for these entity ID information 
5 pieces respectively such that each of the centers 
generates a particular key for a particular piece of 
entity ID information. Therefore, no single center can 
grasp all entity secrets or can become a "big brother." 
In addition, the mathematical structures are held down to 
10 a minimum, so that it is easy both to effectively 
circumvent the collusion problem and to implement the 
cryptosystem. Furthermore, because the entities are in 
possession beforehand of secret keys peculiar thereto, 
the time required for generating common keys can be 
15 significantly shortened. 

With an ID-NIKS based on the third conventional 
method described earlier, in general, L x L symmetrical 
matrixes are center secrets, and a portion of that 
information is treated as a vector comprising L 
20 components and distributed to the entities. This scheme 
is very easy to implement but the collusion threshold is 
no more than approximately L. With the scheme of the 
present invention, on the other hand, a collusion 
threshold can be obtained which is far greater than L. 
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With the conventional scheme, by employing 2 M x 2 M 
center secret matrixes, it is possible to configure an 
ID-NIKS having the same level of collusion threshold as 
the present invention. An ID-NIKS configured in such 
5 manner is not practical, however, because it requires 2 M 
product computations or power-multiplication computations 
for key sharing. Another problem with such an ID-NIKS is 
that almost all schemes are divisible so that secret keys 
can be counterfeited for entities expressed by the linear 

10 combination of some collaborators. With the scheme of 
the present invention, on the other hand, the number of 
secret keys held becomes more numerous, but the common 
keys can be shared by making K-l power-multiplication 
computations, at most, key generation can be done at very 

15 high speed, and, even though some entities might be 
expressed by the linear combination of collaborators, it 
is still possible to prevent the counterfeiting of secret 
keys for those entities . 

With the present invention, moreover, the random 

20 number terms are eliminated only after all blocks have 
been completely computed, wherefore divided blocks cannot 
be independently attacked and it is possible to 
circumvent random number substitution attack. 

The above illustrated and described secret key 

25 generation method, encryption method, cryptographic 
communications method, common key generator, 



cryptographic communications system, and recording media 
are disclosed in Japanese Patent Application Nos. 11- 
16257 and 11-59049 filed on January 25, 1999 and March 5, 
1999 respectively, the instant application claims 
priority of these Japanese Applications, and the entire 
disclosure thereof is herein incorporated by reference. 
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CLAIMS 



What Is Claimed Is: 

1. A secret key generation method for generating 
secret keys to be sent from a center to entities , 
comprising the step of: 

generating said secret keys peculiar to said 
entities using pieces of information resulting from 
division of information specifying each of said entities- 

2. An encryption method for use in a system in 
which a center sends to entities secret keys peculiar to 
the entities respectively, and each entity uses a secret 
key peculiar to itself that has been sent from the center 
when it encrypts plaintext to ciphertext, the encryption 
method comprising the steps of: 

generating said secret keys peculiar to said 
entities using pieces of information resulting from 
division of information specifying each of said entities; 
and 

encrypting plaintext to ciphertext using a common 
key generated using a component contained in the secret 
key peculiar to an entity that is a sender of the 
ciphertext, the component corresponding to one or more 



pieces of information specifying another entity that is a 
destination of the ciphertext. 

3. A cryptographic communications method for 
5 communications of information between entities wherein a 
plurality of centers are provided, each of which 
generates secret keys peculiar to the entities using 
divided pieces of information resulting from division of 
information specifying each of the entities; one entity 
10 generates a first common key using a first component 
contained in secret keys peculiar to the one entity sent 
from the centers, encrypts plaintext to ciphertext using 
the first common key and sends the ciphertext to another 
entity, the first component corresponding to one or more 
15 of the divided pieces of information specifying said 
another entity; and said another entity generates a 
second common key identical to the first common key using 
a second component contained in secret keys peculiar to 
the another entity sent from said centers, and decrypts 
20 said ciphertext to the original plaintext using the 
second common key, the second component corresponding to 
one or more of the divided pieces of information 
specifying the one entity. 

25 4. A cryptographic communications method for 

communicating information between entities wherein: 

48 



secret keys peculiar to said entities are sent from 
a center to said entities; 

one entity encrypts plaintext to ciphertext using a 
first common key derived from a first secret key peculiar 
5 to the one entity sent from said center and sends the 
ciphertext to another entity; 

said another entity decrypts said ciphertext to the 
original plaintext using a second common key identical to 
the first common key, the second common key being derived 
10 from a second secret key peculiar to said another entity 
sent from said center, characterized in that; 
a plurality of said centers are deployed; 
each of said plurality of centers generates secret 
keys peculiar to said entities by adding random numbers 
15 peculiar to said entities to divided pieces of 
information resulting from division of information 
specifying each of said entities; and 

each of said entities generates a common key using a 
component, contained in the secret key peculiar to that 
20 selfsame entity, corresponding to one or more of the 
divided pieces of information specifying an opposite 
entity. 



5 . The cryptographic communications method 
25 according to claim 4, wherein computation formulas for 
generating secret keys at said centers are as follows: 
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S7^= g «iiHi n u 3 (mo d p) 
"S~T=a i2 H 2 ihT~] (mod P-l) 

i 
i 
i 
i 

5 ~S7Z=a iK U K [7~S (mod P-l) 

where 

vector sij is a secret key corresponding to j'th 
piece of divided information specifying 
10 entity i (j = 1, 2, . . . , K) 

[vector Iij] is j'th piece of divided information 
specifying entity i; 
P is a prime number; 

K is number of divisions in the information 
15 specifying entity i; 

g is primitive element for GF (P); 

Hj is a symmetrical 2 M x 2 M matrix made up of 

random numbers; 
M is size of divisions in the information 
20 specifying entity i; and 

otij is a personal secret random number for 

entity i (where an . . . ai K e 1 (mod P-l ) ) . 

6. The cryptographic communications method 
25 according to claim 5, wherein computation formulas for 
generating common keys at said entities are as follows: 
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K 



^ ^ ^ ^ 

im — &\\ L l ml J 



sg H ' n » ] «J-HkCi.J Ci J (mod P) 

where 

5 K im is common key generated by one entity i for 

another entity m; and 
vector Sij [vector Iij] is a component contained 
in secret key vector of entity i, 
corresponding to divided piece of 
10 information specifying entity m. 

7 . A common key generator provided at entities in 
a cryptographic communications system for generating 
common keys to be used in processing to encrypt plaintext 

15 into ciphertext and in processing to decrypt ciphertext 
into plaintext, comprising: 

storage means at each entity for storing secret keys 
peculiar to each respective entity produced for 
respective pieces of information resulting from division 

20 of information specifying each of said respective 
entities; 

selection means for selecting . components 
corresponding to pieces of information specifying 
opposite entities to be communicated with, from among the 
25 secret keys stored; and 
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means for generating said common keys using said 
components so selected. 

8 . A cryptographic communications system for 
5 reciprocally performing, between a plurality of entities, 
encrypting processing for encrypting plaintext that is 
information to be sent into ciphertext and decrypting 
processing for decrypting ciphertext so sent back into 
original plaintext; comprising: 
10 a plurality of centers that generate secret keys 

peculiar to said entities using pieces of information 
resulting from division of information specifying each of 
said entities and that sends said secret keys to said 
entities; and 

15 a plurality of entities each of which generates a 

common key employed mutually in said encryption and 
decryption processing when communicating with another 
entity, using a component contained in own secret key 
sent from the centers, the component corresponding to one 

20 or more pieces of information specifying said another 
entity* 

9 • A computer readable recording medium that 
stores a program that generates at entities involved in 
25 communications common keys used in processing to encrypt 
plaintext to ciphertext and in processing to decrypt said 
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ciphertext to said plaintext in a cryptographic 
communications system, comprising: 

first program code means for causing said computer 
to select a component corresponding to one or more of 
5 divided pieces of information specifying one entity from 
a secret key peculiar to another entity; and 

second program code means for causing said computer 
to generate said common keys using said components 
selected. 

10 

10* An encryption method comprising the steps of: 
generating a first secret key peculiar to ciphertext 
sending entity using first divided specifying information 
and a second secret key peculiar to ciphertext receiving 

15 entity using second divided specifying information, the 
first divided specifying information being obtained by 
dividing specifying information of the ciphertext sending 
entity into a plurality of blocks and the second divided 
specifying information being obtained by dividing 

20 specifying information of the ciphertext receiving entity 
into a plurality of blocks; 

generating a common key using a component contained 
in the first secret key, the component corresponding to 
second divided specifying information of the ciphertext 

25 receiving entity, the common key having a structure of at 
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least three layers and an exponent portion of the common 
key having a multi-layer structure; and 

encrypting plaintext to ciphertext using the common 

key . 

5 

11. A secret key generation method comprising the 
step of: 

generating secret keys peculiar to entities using 
divided specifying information resulting from division of 
10 information specifying said entities into a plurality of 
blocks ; and wherein 

secret key for a first block of divided specifying 
information has a multi-layer structure; and 

each of secret keys for remaining blocks of divided 
15 specifying information has a single-layer structure. 

12. An encryption method comprising the steps of: 
generating secret keys peculiar to entities using 

divided specifying information resulting from division of 
20 information specifying said entities into a plurality of 
blocks; and 

encrypting plaintext to ciphertext at one entity 
using a common key generated using a component contained 
in the secret key peculiar to the one entity, the 
25 component corresponding to divided specifying information 
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for another entity to which said ciphertext is to be sent, 
and wherein 

secret key for first block of divided specifying 
information has a multi-layer structure; and 
5 each of secret keys for remaining blocks of divided 

specifying information has a single-layer structure. 

13, A cryptographic communications method for 
communications of information between entities wherein a 

10 plurality of centers are provided, each of which 
generates secret keys peculiar to the entities using 
divided specifying information resulting from division of 
information specifying each of the entities into a 
plurality of blocks ; one entity generates a first common 

15 key using a first component contained in secret keys 
peculiar to the one entity sent from the centers, 
encrypts plaintext to ciphertext using the first common 
key and sends the ciphertext to another entity, the first 
component corresponding to one or more of the divided 

20 pieces of information specifying said another entity; and 
said another entity generates a second common key 
identical to the first common key using ( a second 
component contained in secret keys peculiar to the 
another entity sent from said centers, and decrypts said 

25 ciphertext to the original plaintext using the second 
common key, the second component corresponding to one or 



more of the divided pieces of information specifying the 
one entity; secret keys for first block of divided 
specifying information have a multi-layer structure; and 
secret keys for remaining blocks of divided specifying 
5 information have a single-layer structure. 



14. A secret key generation method for generating 
secret keys peculiar to entities using divided specifying 
information resulting from division of information 
10 specifying said entities into a plurality of blocks, 
wherein: 

computation formulas for generating said secret keys 
are as follows : 



15 



Si 2 = a i H 2 Cl i2 ] + ]3 i2 1 
■ 

S~r=a i H j CTTr] + B U ~T 



SiK = aiH K [IiK] + fl iK 1 
g7T=g arT 1 (mod N) 



20 srT s s a i~" TS ii (mod N) 



1~t=S a ^ < S * i > (mod N) 



'g~^=g a i T< s i i > (mo d N) 



~S~T=S a i ?<S ii > (mo d N) 
2 5 where 



vector Sij is a secret key corresponding to j'th 
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divided specifying information for entity 
i (j = 1, 2, K) 
[vector Iij] is j 1 th divided specifying 
information for entity i; 
5 vector 1 is a vector of dimension K wherein all 

components are 1 ; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers; 
Mj is size of j'th divided specifying 
10 information for entity i; 

K is number of block divisions in information 

specifying entity i; 
oti is a personal secret random number for entity 
i (where gcd (a if M N )) = 1 and X( * ) is 
15 Carmichael function); 

N is such that N = PQ (where P and Q are 
prime ) ; 

Pij is a personal secret random number for 
entity i (where pn + pi 2 + • • * + Pik = 

20 MN)); 

g is maximum generating element with modulo N; 
vector g it is a secret key for 1st block of 

specifying information for entity i (t = 0, 
1/ 2/ 1); 
25 T is degree of exponent portion; and 
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if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, then the 
expressions B = c A and B = <A> C represent (iii) 
and (iv) below, respectively. 

(i) A = ( a« v ) 

(ii) B = (b uv ) 

(iv) b = a c 



15 15, An encryption method wherein: 

secret keys peculiar to entities are generated using 
divided specifying information resulting from division of 
information specifying each of said entities into a 
plurality of blocks; 

2 0 plaintext is encrypted to ciphertext at one entity 

using a common key generated using a component contained 
in the secret key peculiar to the one entity, the 
component corresponding to divided specifying information 
for another entity that is a destination of said 

25 ciphertext; and 

computation formulas for generating said secret keys 
peculiar to said entities are as follows: 

S~r= ai H 1 CTT] +/3 n T 
"S~T=aiH 2 [Ii2] +0 i2 T 



S77=a i H K Cl iK ] + 0 iK 1 

■i7^= g «r T 1 (mod N) 
~^=g a r TS ii (mod N) 



g 



J^=g a i T< s ii > (mod N) 

i 

^= g af T < >' (mod N) 



i^Hg^i T< s ii > (mod N) 
where 

10 vector sij is a secret key corresponding to j'th 

divided specifying information for entity 
i ( j = 1, 2, . . . , K) 
[vector Iij] is j'th divided specifying 
information for entity i; 
15 vector 1 is a vector of dimension K wherein all 

components are 1; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers; 
Mj is size of j'th divided specifying 
20 information for entity i; 

K is number of block divisions in information 
specifying entity i; 

oci is a personal secret random number for entity 
i 

25 (where gcd (a ir MN)) = 1 and X( * ) is 
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Carmichael function) ; 
N is such that N = PQ (where P and Q are 
prime) ; 

pij is a personal secret random number for 
5 entity i 

(where pu + p i2 + + Pik = X(N) ) ; 

g is maximum generating element with modulo N; 
vector git is a secret key for 1st block of 

specifying information for entity i (t = 0, 

10 1,2,..., T); 

T is degree of exponent portion; and 
if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A>° represent (iii) 

15 and (iv) below, respectively. 

(i) A= (a tfy ) 

(ii) B = (b wy > 



20 



25 



( ii:L ) h uv = c*u» 
(iv) h = ~ c 



16. The encryption method according to claim 15 f 
wherein computation formulas for generating said common 
keys are as follows: 

30 Soim = S io Clml^ 
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1m 



? r ^ t v T-t 
m 



K im =n g T . 

= g a l T ioT CX Um y i 

T 

= g a "i T (x lirn +y im ) 

T 

= g^ T tai^i"?? cl W ] + " H - H K [ "^ ] [ W ])+ ^ }T 
^ g <H t [T^ ^ +"-+-h k o^] a^i) T (mod N) 



where 

gtim (= vector g it [vector I m i]) is a component 

corresponding to vector I m i for entity m, 
selected from own vector git for 1st block 
of information specifying entity i (t = 0, 
1/ 2/ 

xiim = vector su [vector I m i]; 

Xji m (= vector s±j [vector I m j]) is a component 

corresponding to vector I mj for entity m, 
selected from own vector Sij for j ' th block 
of information specifying entity i (j = 2, 
3 f • • • r K ) ? 



K im is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components Xj im (j = 2, 3, 

. .., K), that is, y im = x 2 im + x 3 im + ... + 

17. A cryptographic communications method for 
communications of information between entities, wherein 

a plurality of centers are deployed, each of which 
generates secret keys peculiar to said entities using 
divided specifying information resulting from division of 
information specifying each of said entities into a 
plurality of blocks, and sends the secret keys to the 
entities respectively ; 

one entity generates a first common key using a 
first component contained in secret keys peculiar to the 
one entity sent from the centers, encrypts plaintext to 
ciphertext using the first common key, and sends the 
ciphertext to said another entity, the first component 
corresponding to divided specifying information for 
another entity; 

said another entity generates a second common key 
identical to the first common key using a second 
component contained in secret keys peculiar to said 
another entity sent from the centers, and decrypts said 
ciphertext using the second common key, the second 



component corresponding to divided specifying information 
for the one entity; and 

computation formulas for generating said secret keys 
at said centers are as follows: 

s7t =ai H 2 [T77] + 0 i2 T 
■ 

s7T=a i H i [TT] +3ijT 

i 

-i7^=g«f T ~f (mod N) 
■g7^= g «i T s i i (mo d N) 



■g-^=g«i T< s i i > (mod N) 
•g7f=g«r T< s > i ^ (mod N) 

i 

■i7^-g«r T< S iT^ (mod N) 
15 where 

vector sij is a secret key corresponding to j'th 

divided specifying information for entity 

i (j = 1, 2, K) 
[vector Iij] is j 1 th divided specifying 
2 0 information for entity i; 

vector 1 is a vector of dimension K wherein all 

components are 1; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers ; 
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Mj is size of j'th divided specifying 

information for entity i; 
K is number of block divisions in information 

specifying entity i; 
cci is a personal secret random number for entity 

i (where gcd (a if X(N) ) = 1 and X( * ) is 

Carmichael function) ; 
N is such that N = PQ (where P and Q are 

prime) ; 

Pij is a personal secret random number for 
entity i (where pn + p i2 + . • • + Pik = 
MN) ) ; 

g is maximum generating element with modulo N; 
vector g it is a secret key for 1st block of 
information specifying entity i (t = 0, 
1, 2 , • • • , T); 
T is degree of exponent portion; and 
if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A>° represent 
(iii) and (iv) below, respectively. 

(i) A = ( a tf v ) 

(ii) B= (b uv ) 

(iii) b uv = c a ** 

(iv) = a w , c 



10 



15 



18. The cryptographic communications method 
according to claim 17 , wherein computation formulas for 
generating said common keys are as follows : 



So im~ S ia t Iml^ 



Si im~ Silt I m i] 



S t im = g it C I m i] 
i 

STim~S it t I mi] 



x 2 i m~ S 12 ^ I m 2^ 



x j im S i j ^ Irnj] 



x Kim~ s iK C ^mK^ 



T C yCT-t) 



K im =n g 1 

1 m t=0 t i 

= g^ T t l 0 T CX Um y i 



T? r,t v T-t 



im 
T 



g' 

_ T 
== g«j T ^lim^'^kim* 



_ g a. T tejH^l^] :w ] ^ii^^ a i H K cT nc ] [ W ]+ ^k> T 

^gH^] ^^^ h k c "^k ] [ W ] > T (mod N) 
where 

gtim (= vector g it [vector I m i]) is a component 
corresponding to vector I ml for entity m, 
25 selected from own vector gu for 1st block 
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of information specifying entity i (t = 0, 
1 , 2 , •#•/ T); 
xiim = vector su [vector I m i]; 

Xjim (= vector sij [vector l mj ] ) is a component 

corresponding to vector I mj for entity m, 
selected from own vector s ±j for j 1 th block 
of information specifying entity i (j = 2, 
3/ •••/ K)j 

K ini is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components x jim (j = 2 r 3, 
. . . , K), that is f y iin = x 2 i m + x 3 i m + . 

+ X K im • 

19. A common key generator provided at entities in 
a cryptographic communications system for generating a 
common key to be used in processing to encrypt plaintext 
to ciphertext and in processing to decrypt ciphertext 
back to plaintext, comprising: 

storage means for storing secret keys peculiar to 
said entities produced, according to computation formulas 
given below, for divided specifying information resulting 
from division of information specifying each of said 
entities into a plurality of blocks; 

selection means . for selecting components 
corresponding to divided specifying information for 



opposite entities to be communicated with, from the 
secret keys stored; and 

means for generating said common keys, according to 
computation formulas given below, using said components 
so selected: 

1 

I ^ 

i 
i 

"i7t=g a r T "^ (mod N) 
-i7f=g«f T s7T (mod N) 
■i^=g a r T< S iT^ (mod N) 

i 

•^=g«f T< s n (mod N) 

i 

^=g«i" T< S ii >T (mod N) 
where 

vector sij is a secret key corresponding to j ! th 
divided specifying information for entity 

i ( j = 1, 2 , ,K) 

[vector I±j] is j 1 th divided specifying 
information for entity i; 
.vector 1 is a vector of dimension K wherein all 
components are 1 ; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 
random numbers; 



67 



Mj is size of j'th divided specifying 

information for entity i; 
K is number of block divisions in information 

specifying entity i; 
oti is a personal secret random number for entity 

i (where gcd (ct if X(U) ) = 1 and X( • ) is 

Carmichael function) ; 
N is such that N = PQ (where P and Q are 

prime) ; 

pij is a personal secret random number for 
entity i (where pn + p i2 + + Pik = 



g is maximum generating element with modulo N; 
vector git is a secret key for 1st block of 
information specifying entity i (t = 0, 

If 2 , •♦•f T)/ 

T is degree of exponent portion; and 
if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A> C represent 
(iii) and (iv) below, respectively. 



MN)); 



(i) 



A — ( a u y ) 



(ii) 



B= (b uv ) 



(iii) 



(iv) 



b 



= a 



c 
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10 



15 



St i m~ 8u L i ml-l 
i 

S-Tim—S iT C ImJ 



x 2 im~ S i 2 C I m 23 



x i im s i i I- I m j 3 



Xk i m — S iK t ImK^l 
T c T CT-t) 



t=0 t im 
T 



^S a i T tSoT Cx nm y i 
s 



T-t 
m 



= g«i (3C lim +y im ) 



= g u^) T (mod N) 



where 

2 0 gtim (= vector g it [vector I ra i]) is a component 

corresponding to vector l m i for entity m, 
selected from own vector g it for 1st block 
of information specifying entity i (t = 0, 
If 2/ T)j 

25 xnm = vector s±i [vector I m i]; 

x jira (= vector sij [vector I mj ]) is a component 
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corresponding to vector I m j for entity m, 
selected from own vector Sjj for j'th block 
of information specifying entity i (j = 2, 
3 , * • * r K); 

5 Ki m is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components Xji m (j = 2, 3, 

• • • r K) / that IS/ yi m = X2im ^3im • * • 

10 

20. A cryptographic communications system for 
reciprocally performing, between a plurality of entities, 
encryption processing for encrypting plaintext that is 
information to be sent into ciphertext and decryption 

15 processing for decrypting ciphertext so sent back into 
original plaintext, comprising: 

a plurality of centers each of which generates 
secret keys peculiar to said entities, according to 
computation formulas given below, using divided 

2 0 specifying information resulting from division of 
information specifying each of said entities into a 
plurality of blocks, and sends said secret keys to said 
entities ; and 

a plurality of entities each of which generates a 
25 common key mutually employed in said encryption and 
decryption processing when communicating with another 



entity, according to computation formulas given below, 
using a component contained in own secret key sent from 
said centers, the component corresponding to divided 
specifying information for said another entity: 



"srT=aiH l Cl il ] + Sn 1 



"s7T=aiH 2 [I i2 ] + 0 i2 1 



S i0 = 8 ' (mod N) 

» i 1 



10 T~T=s a ' TS ' i (mod N) 



i^=g«i T <S n > (mod N) 

i 

~i7^=g a f T< s ii >l (mo d N) 



i^=g a i T< S m ^ (mod N) 
where 

15 vector sij is a secret key corresponding to j ' th 

divided specifying information for entity 
i ( j = 1 , 2, . . . , K) 
[vector Iij] is j 1 th divided specifying 
information for entity i; 
20 vector 1 is a vector of dimension K wherein all 

components are 1 ; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers; 
Mj is size of j'th divided specifying 
25 information for entity i; 
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K is number of block divisions in information 

specifying entity i; 
cxi is a personal secret random number for entity 
i (where gcd (a if X(N) ) = 1 and X( • ) is 
5 Carmichael function); 

N is such that N = PQ (where P and Q* are 
prime) ; 

Pij is a personal secret random number for 

entity i (where Pu + Pi 2 + . . . + Pik = 

10 MN)); 

g is maximum generating element with modulo N; 
vector git is a secret key for 1st block of 
information specifying entity i (t = 0, 
1, 2, T); 
15 T is degree of exponent portion; and 

if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A> C represent 
(iii) and (iv) below, respectively. 

20 

(i) A = ( a tf y ) 

(ii) B= (b„„) 
25 (iii b wy = c a *» 
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10 



15 



Si im"~S ii C Iml^ 
i 

! ^ r"T~*i 

St im"" Sit L l m l J 



STim"~S iT t I m i] 



x 2 im"" S i 2 C l m 2^ 



im ^ i j E I m j 1 



x Kim~ s iK t ImK^ 



t c y a-t) 



im t=0 ti 



im 
T 



T-t 
m 



T 



= g«i T ^lim^-^kim* 



= g ^^^ h k^ ] C W^ T (mod N) 



where 

gtim (= vector g it [vector Imi]) is a component 

corresponding to vector l m i for entity m, 
selected from own vector gi t for 1st block 
20 of information specifying entity i (t = 0, 

1/ 2, •••/ T); 
xiim = vector sn [vector I m i]; 
Xjim (= vector s±j [vector I m j ] ) is a component 
corresponding to vector I m j for entity m, 
25 selected from own vector sij for j T th block 
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of information specifying entity i (j = 2, 
3/ •••/ K); 

K im is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components x jim (j = 2, 3, 
. K) , that is, y im = x 2 im + x 3 im + 

21. A computer readable recording medium for 
storing a program that generates at entities involved in 
communications a common key mutually used in processing 
to encrypt plaintext to ciphertext and in processing to 
decrypt said ciphertext back to said plaintext in a 
cryptographic communications system, comprising: 

first program code means for causing said computer 
to select a component corresponding to divided specifying 
information of one entity that is a ciphertext recipient 
from a secret key peculiar to another entity that is a 
ciphertext sender, according to computation formulas 
given below, for each of divided specifying information 
resulting from division of information specifying each of 
said entities into a plurality of blocks; and 

second program code means for causing said computer 
to generate said common key, according to computation 
formulas given below, using said components selected: 



S7T=aiH 2 [I i2 ] + 0 i2 1 

i 
i 
i 
I 

i 
i 

-i7^-g«r T "^ (mod N) 
► 

-i~^=g«i TS ii (mod N) 
■g~^=g«r T< s i (mod N) 

i 
i 

-i7f=g«f T< s i T ^ (mod N) 

i 

t 

7^"=g«r T< S ii >T (mod N) 
where 

vector sij is a secret key corresponding to j'th 

divided specifying information for entity 

i (j = 1/ 2 , .../ K) 
[vector Iij] is j ' th divided specifying 

information for entity i; 
vector 1 is a vector of dimension K wherein all 

components are 1; 
Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers; 
Mj is size of j 1 th divided specifying 

information for entity i; 
K is number of block divisions in information 

specifying entity i; 
cci is a personal secret random number for entity 
i (where gcd (cx if k(U) ) = 1 and X( * ) is 



Carmichael function); 
N is such that N = PQ (where P and Q are 
prime) ; 

Pij is a personal secret random number for 
5 entity i (where pn + pi 2 + * * • + Pik = 

X(N)); 

g is maximum generating element with modulo N; 
vector g it is a secret key for 1st block of 

information specifying entity i (t = 0, 

10 1, 2, . . . , T) ; 

T is degree of exponent portion; and 
if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A> C represent 
15 (iii) and (iv) below, respectively. 



(i) A = ( a^ y ) 

(ii) B- (b ffP ) 

(iii) b uv = c a ^ 
( iv > b„ y = a„ c 



20 



25 



Soirn ^ io C I m i U 

Si im = S il t I m i3 
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St irn^S it C 
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8Tim = S iT E iml^ 
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T C y CT-t) 

Kim ^n g T . Ctyim 

= S 1 t^o T * im ir 

= g«i ^1 im +y im } 



lm 



-T \ 



g 



= g 

where 



g' 

- g (H^] [W ^h^iS [ W ] > T (mod N) 



gtim (= vector g it [vector I m i]) is a component 
corresponding to vector I m i for entity m, 
selected from own vector g it for 1st block 
of information specifying entity i (t = 0 r 
1/ 2 f 1)f 

xum = vector Sn [vector I m i]; 

x jim (= vector s ±j [vector l mj ] ) is a component 

corresponding to vector I mj for entity m, 
selected from own vector sij for j'th block 
of information specifying entity i (j = 2, 
3/ • . • t K); 

K im is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components x jim (j = 2, 3, 



, K), that is, y im = x 2 i m + x 3 i m + — 

+ XKim» 

22. A computer data signal embodied in a carrier 
wave for generating at entities involved in 
communications common keys used in processing to encrypt 
plaintext to ciphertext and in processing to decrypt said 
ciphertext to said plaintext in a cryptographic 
communications system, comprising: 

first code segment for causing a computer to select 
a component corresponding to one or more of divided 
pieces of information specifying one entity from a secret 
key peculiar to another entity; and 

second code segment for causing said computer to 
generate said common keys using said components selected. 

23. A computer data signal embodied in a carrier 
wave for generating at entities involved in 
communications a common key mutually used in processing 
to encrypt plaintext to ciphertext and in processing to 
decrypt said ciphertext back to said plaintext in a 
cryptographic communications system, comprising: 

first code segment for causing a computer to select 
a component corresponding to divided specifying 
information of one entity that is a ciphertext recipient 
from a secret key peculiar to another entity that is a 
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ciphertext sender, according to computation formulas 
given below, for each of divided specifying information 
resulting from division of information specifying each of 
said entities into a plurality of blocks; and 
5 second code segment for causing said computer to 

generate said common key, according to computation 
formulas given below, using said components selected: 

I 
I 
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Si 


t = s 1 


-t < S , T ( m0 d 


N) 


Si 


T s s ai 


_T < S i ! > (mod 


N) 



where 



vector sij is a secret key corresponding to j 1 th 
2 0 divided specifying information for entity 

i (j = 1, 2 , K) 
[vector Iij] is j'th divided specifying 

information for entity i; 
vector 1 is a vector of dimension K wherein all 
25 components are 1; 
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Hj is a symmetrical 2 Mj x 2 Mj matrix made up of 

random numbers; 
Mj is size of j 1 th divided specifying 

information for entity i; 
K is number of block divisions in information 

specifying entity i; 
oci is a personal secret random number for entity 

i (where gcd (en, ) = 1 and M') is 

Carmichael function); 
N is such that N = PQ (where P and Q are 
prime) ; 

Pij is a personal secret random number for 
entity i (where pn + Pi2 + • • • + Pik - 
X(N)); 

g is maximum generating element with modulo N; 

vector g±t is a secret key for 1st block of 

information specifying entity i (t = 0, 
1 , 2 , T); 

T is degree of exponent portion; and 

if c is a scalar, and A and B are matrixes 
represented in (i) and (ii) below, the 
expressions B = c A and B = <A> C represent 
(iii) and (iv) below, respectively. 

(i) A = ( a y „ ) 
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(ii) B= (b„ y ) 

(iii) b uv = c a ^ 



( iv ) b tf „ = a„ y c 



Sq i m~ S iO t I m il 



Siim S i i C I ml 3 



Stim Sit C I m i D 



St i m~~ S iT t I m i H 



^2 im~ S i2 C I m 2^ 



x . . = s . r T .1 



X K i m~~ S iK t I mK^ 

t c y cr-t> 

k- =n g T t im 



t— 0 t im 

T-t 
im 



^g«i T t S 0 T Cx i t im y h 



T 

= g"i T (x Hm +y im ) 



T 

} 



== g «itTf5 C^- +H K cl iK ] C W^> T (mod N) 
where 

gtim (= vector g it [vector I m i]) is a component 
corresponding to vector Imi for entity m, 
selected from own vector g it for 1st block 
of information specifying entity i (t = 0, 
1/ 2/ T); 
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xiim = vector s u [vector I m i]; 

x jim (=* vector [vector I mj ] ) is a component 

corresponding to vector I m j for entity m, 
selected from own vector sij for j'th block 
of information specifying entity i (j = 2, 
3 , . • • / K ) ; 

K im is a common key generated by one entity i 

for another entity m; and 
y im is sum of (K-l) components x 3im (j = 2, 3, 
. K) , that is, y im = x 2 im + x 3 im + 

+ XKim* 
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ABSTRACT OF THE DISCLOSURE 



A cryptographic communications method based on ID- 
NIKS, wherewith mathematical structures are minimized, 
5 the collusion problem can be circumvented, and building 
the cryptosystem is simplified. A plurality of centers 
are provided for distributing a plurality of secret keys 
to a plurality of entities, respectively. Each secret key 
is unique to each entity. Information specifying the 

10 entities (entity ID information) is divided into a 
plurality of pieces or segments. All secret keys produced 
for the pieces of entity ID information are distributed 
to the entities. Using a component contained in the 
secret key peculiar to itself, each entity generates a 

15 common key to be shared by another entity. This component 
corresponds to a piece of ID information of another 
entity. 
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